HPE FlexNetwork 5510 HI Series Security Configuration Guide

HPE FlexNetwork 5510 HI Series
551 pages
Step | Command | Remarks
 | | supports only DN for signature authentication.
Configuring the IKE keepalive feature
IKE sends keepalive packets to query the liveness of the peer. If the peer is configured with a
keepalive timeout time, you must configure the keepalive interval on the local device. If the peer
receives no keepalive packets within the timeout time, the IKE SA is deleted along with the IPsec
SAs it negotiated.
Follow these guidelines when you configure the IKE keepalive feature:
• Configure IKE DPD instead of the IKE keepalive feature unless IKE DPD is not supported on
the peer. The IKE keepalive feature sends keepalives at regular intervals, which consumes
network bandwidth and resources.
• The keepalive timeout time configured on the local device must be longer than the keepalive
interval configured at the peer. Because it is rare for more than three consecutive packets to be
lost on a network, you can set the keepalive timeout to three times the keepalive interval.
To configure the IKE keepalive feature:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Set the IKE SA keepalive interval. | ike keepalive interval seconds | By default, no keepalives are sent to the peer.
3. Set the IKE SA keepalive timeout time. | ike keepalive timeout seconds | By default, IKE SA keepalive never times out.
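Added example (not part of the HPE guide): a Python check that applies the two keepalive guidelines above to the commands entered on both tunnel endpoints, in each direction. The device listings, their values and the function names are constructed for illustration; the 3x threshold is the rule of thumb stated above.

```python
import re

# Matches the two commands from this section: "ike keepalive interval|timeout <seconds>"
_KEEPALIVE = re.compile(r"^\s*ike\s+keepalive\s+(interval|timeout)\s+(\d+)\s*$", re.M)


def parse_keepalive(config: str) -> dict:
    """Return {'interval': int|None, 'timeout': int|None} from a command listing."""
    settings = {"interval": None, "timeout": None}
    for key, seconds in _KEEPALIVE.findall(config):
        settings[key] = int(seconds)  # assumption: the last occurrence wins
    return settings


def check_direction(sender: dict, receiver: dict, label: str) -> list:
    """Check keepalives flowing from sender to receiver against the guidelines."""
    interval, timeout = sender["interval"], receiver["timeout"]
    if timeout is None:
        return []  # default: the receiver's IKE SA keepalive never times out
    if interval is None:
        # Receiver expects keepalives, but the sender's default is to send none.
        return [f"ERROR {label}: receiver times out after {timeout}s but sender sends no keepalives"]
    if timeout <= interval:
        return [f"ERROR {label}: timeout {timeout}s is not longer than interval {interval}s"]
    if timeout < 3 * interval:
        return [f"WARN {label}: timeout {timeout}s is under 3 x interval {interval}s"]
    return []


def audit_pair(config_a: str, config_b: str) -> list:
    """Audit both directions between two IKE peers; an empty list means no findings."""
    a, b = parse_keepalive(config_a), parse_keepalive(config_b)
    return check_direction(a, b, "A->B") + check_direction(b, a, "B->A")


# Constructed command listings (values are illustrative only).
DEVICE_A = """
system-view
 ike keepalive interval 20
 ike keepalive timeout 30
"""
DEVICE_B = """
system-view
 ike keepalive timeout 60
"""

if __name__ == "__main__":
    for finding in audit_pair(DEVICE_A, DEVICE_B):
        print(finding)
```

With the constructed listings, device A expects keepalives that device B never sends, so A would delete the IKE SA and its IPsec SAs after 30 seconds.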
Configuring the IKE NAT keepalive feature
If IPsec traffic passes through a NAT device, you must configure the NAT traversal feature. If no
packet travels across an IPsec tunnel for a period of time, the NAT sessions age out and are deleted,
and the tunnel can no longer transmit data to the intended end. To prevent the NAT sessions from
aging out, configure the NAT keepalive feature on the IKE gateway behind the NAT device so that it
periodically sends NAT keepalive packets to its peer and keeps the NAT session alive.
To configure the IKE NAT keepalive feature:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Set the IKE NAT keepalive interval. | ike nat-keepalive seconds | The default interval is 20 seconds.
Configuring IKE DPD
DPD detects dead peers. It can operate in periodic mode or on-demand mode.
• Periodic DPD—Sends a DPD message at regular intervals. It features an earlier detection of
dead peers, but consumes more bandwidth and CPU.
